Colleges and universities collect and maintain financial and private information about students, so educational institutions are expected to protect that information and to regularly test their cybersecurity measures against current threats.
The United States Office of Management and Budget (“OMB”) recently released the 2019 Compliance Supplement, which provides guidance for auditors and institutions to maintain government compliance.
The 2019 Compliance Supplement includes a number of changes and enhancements to existing compliance requirements of the US Department of Education for Student Financial Assistance programs at colleges and universities. One important addition to the Student Financial Assistance compliance requirements is an obligation to comply with the Safeguards Rule of the Gramm-Leach-Bliley Act (“GLBA”), a law that requires financial institutions to explain how they protect consumers’ private information.
Higher education institutions must now ensure cybersecurity programs and internal risk assessment processes cover the following areas:
Employee training and management
Procedures for finding, stopping and responding to cyberattacks and IT system failures
Information technology (hardware, software, network, information storage and removal, etc.)
Regular testing or other monitoring of the effectiveness of implemented safeguards
The 2019 Compliance Supplement now requires auditors to test cybersecurity readiness at higher education institutions by verifying that each institution has:
Designated a person responsible for overseeing and coordinating the organization’s information security program;
Performed a risk assessment and testing that address all of the items above; and
Documented appropriate safeguards to address each identified risk.
The 2019 Compliance Supplement is effective for audits of fiscal years beginning after June 30, 2018.
BPM’s Information Security Assessment Services team has experience helping institutions navigate the new GLBA testing and compliance requirements.